How Vendor Access Management is Like Having a Plumber at Your Home

One of the more unique challenges a Solutions Engineer faces centers around the ability to turn complex technical subjects into plain old conversation. As a Solutions Engineer, I have to be able to explain the technical workings of our products to all audiences, from CEOs to engineers, while ensuring my explanations resonate with the audience.

My wife is sharp but decidedly anti-technical, so she’s a good test subject for these things. When I started working for SecureLink, she immediately asked me the same question I’d expect most folks to ask in normal conversation when we start talking about what we do for work- what does SecureLink do?

At this point, you can throw out the “ol’ elevator pitch”, and blind them with technical jargon, right? The classic “I’ll throw a bunch of indecipherable terms at you so you leave me alone and don’t realize that I don’t know how to tell a real human being what we do” stuff? That’s never really been my thing. If I tell my wife, “SecureLink protects you from third-party data breaches, by identifying your vendors, controlling their access to your environment, and auditing every action they take”, she’s going to glaze over, and say, “What the… ???”

What is vendor privileged access management?

Knowing that, what I needed was an analogy– a way to take something (like vendor privileged access management) and relate it to something we’re all familiar with. So, imagine this, if you will: you’re on vacation in some far off, beautiful spot you’ve dreamed about going to for your whole life. Everything is perfect, down to the last detail. Until… (that dreaded “until”)… you get a call letting you know that there’s a water leak in your bathroom at home.

Now, at this point, you do what every other normal, sane person would do- you call a plumber, tell them where to find your spare key, and trust them to get the job done in your house alone, right? You know, that key that you hide in the garage or under a “rock” (we all know it isn’t real).

If you just nodded your head and agreed that’s the path you would take, we need to have a talk! Of course you don’t (and shouldn’t!) do that– ever! Who in their right mind would let a stranger into their house unattended? And yet, many companies do just that today with their third parties, contractors, and vendors.

Identify, control, and audit your vendors AND your plumber

Ideally, what you’re really going to do is to call a trusted friend that you’ve made arrangements with to handle this sort of thing in advance. Your friend knows you’re understandably nervous about having a stranger in your house, so they’re going to take a few steps to ease your mind, so you can get back to enjoying that well-deserved vacation! First, your friend arrives in advance of the plumber, opens the house, and then goes through the house and shuts the doors to all the rooms, preventing the plumber from seeing things that are none of their business.

Then there are some steps that might seem annoying, but are super crucial to ensure safety and security. So, your friend greets the plumber at the door, and checks for an ID, verifying that they’re who they say they are, and are the plumber you told your friend to expect, and that the plumber works for the company you contracted for the repair. After your friend is satisfied with the answers and “checked” all the boxes, your friend then takes the plumber straight to the bathroom in question, lets them get to work, and sends you a text message to let you know that everything is going smoothly.

But, your friend knows you well and knows that you trust folks to do their job, but that you like to check up on what they’re doing, just to make sure it’s done to your standards. So rather than go chill on the couch, your friend hangs out in the doorway to the bathroom with their phone and video records the plumber in all his glory, plumber’s crack and all. Once he’s done patching up the leak, she escorts him to the door, locks up the house, and shoots you a text letting you know that all is well.

What your friend has just done is identified the plumber and made sure that he’s the guy you called before she let him in the house. Then, she controlled his access to your house by guiding him to the problem spot, while also preventing him from having access to off limit areas of the house. Then, she audited his work for you by recording his actions and saving them for you, if need to review them later, and notified you about the plumber’s progress. In the process, she also protected you from the many ways that the plumber could’ve taken advantage of the situation with you being out of town.

This is exactly what vendor privileged access management does for you with your third-party vendors! 2 out of every 5 companies will experience a security breach through one of their third-party vendors, and it will cost them, on average, $4,000,000 to clean up the mess. And yet, many companies happily let their third parties access their networks using a VPN connection without any form of multi-factor authentication (MFA) or access control– this is exactly like telling that plumber where your house key is, and letting him work without supervision! Other companies have implemented MFA and access controls, but have no way to confirm the work the vendor rep performs, so they can’t quickly identify a breach and minimize its effects.

Identify your third parties down to the individual vendor rep, not just a vendor company. Control their access by showing them only the specific resources you want them to be aware of, and nothing else. And, of course, audit their every move so that you can easily tie together where they went, and what they did, while they were there.

In the end, just like your house is more secure with the fewer number of people who know where your spare key is hidden, your company is only as secure as your least secure third-party vendor. To learn more about identifying, controlling, and auditing your vendors, check out our brochure that helps you better understand which vendor access management platform is the best for you.